Virus Naming. The "Who's who?" Dilemma (2)

Got new malware. What shall we call it?

First regulatory attempt: the Caro System(continued)

An updated version of the CARO System was created in 1999, as a private initiative, and it was offered as a suggestion to be adopted by the entire antivirus industry. This update was intended to accommodate into the CARO naming system malware types that affected other platforms than MS-DOS. As stated by the author of the document, this change was triggered by the appearance of WM/Concept.A, the first macro virus to spread through Microsoft Word. Therefore, a proposal was made for the adoption of an extended form of the Caro standard: platform.type/caro-name [message]. In an attempt to further reflect the diversity of the malware population, the document also suggested considering the term “virus” as a default type and including other malware denominations in the Caro system: Trojan, dropper, worm, Joke, germ, etc. Other elements intended to make the malware name as clearly descriptive as possible were the language identifiers and the short message that was supposed to clarify to the end user the malicious nature of the program.

Here is an example of a malware name that follows this model:Win32.MSNWorm.Rachel.A

Figure 2:Virus name based on the updated Caro model (1999)

The Wildlist Approach

In his statement on How Scientific Naming Works,Joe Wells, CEO of Wildlist Organization International approaches the inconvenients of virus naming from a very practical point of view. In the absence of a scientific naming system, such as in biology, and of a unified collection of virus samples that any researcher in this domain can access, a virus name should not be viewed as correct/wrong and all the existing names of a virus should be considered to be equally valid.

He points out an extremely important aspect that tends to be disregarded in this debate: the ultimate purpose is to warn the end-users of the threat, no matter what the name this threat is presented under. As the accuracy of virus identification (is it new? is it a variant of an existing one?, etc.) becomes the main focus, naming remains a secondary issue. To put it simply, any malware sample should be identified by its Caro name, if not, by what the majority calls it, if not, by what the first person to discover it called it.

Towards a Common Malware Denomination

In 2005, during a Virus Bulletin Conference, a new attempt was made to bring order into the malware denomination system. This is when the CME initiative was born, bringing together several major players in the data security industry that aimed “[…] to provide a common name for high profile threats in the hope that customers will be able to protect their computers from malware attacks more effectively.”

The organizations that signed up to the CME agreed on a common malware identifier format, namely: CME- N, where N is an integer between 1 and 999. As illustrated by the CME list, one CME-N identifier corresponds to several aliases of the same malware sample. For instance CME-416 is the same as:

 Trojan.Downloader.AOW (BitDefender)

 Email-Worm.Win32.Warezov.dc (Kaspersky)

 W32/Stration.dr (Mcafee)

 W32/Stratio-AW( Sophos), etc.  

In addition to that, in keeping with its encyclopedic aim, the list provides a description of the malware sample and the date of its activation. 

Despite its capacity to bring more clarity into the matter of malware classification, some voices were skeptical about this system’s ability to keep up with the tremendous speed at which the antimalware industry works. The need to deliver a solution to counter each threat as soon as possible will most likely prevail over this new naming requirement, which will probably only be applied post factum. In other words, in the identification stage, there will be just as many malware sample aliases, but in the classification stage, there will be a way for several aliases to be reunited under a distinct CME-N identifier. 

Although efforts have been made towards reaching a consensus on virus naming rules, diversity seems to hold the upper hand for the moment. Therefore, when trying to figure out the principles behind virus naming, sheer inspiration appears to be the answer. (to be continued)

About the author

Sabina DATCU

Sabina Datcu, PhD has background training in Applied Informatics and Statistics, Biology and Foreign Languages and Literatures. In 2003 she obtained a master degree in Systems Ecology and in 2009 a PhD degree in Applied Informatics and Statistics.
Since 2001, she was involved in University of Bucharest's FP 5 and FP6 European projects, as researcher in Information and Knowledge Management field.

In 2009, she joined the E-Threat Analysis and Communication Team at BitDefender as technology writer and researcher, and started to write a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases.